RE: [fw-wiz] Cisco PIX vulnerable to TCP RST DOS attacks

From: Ahmed, Balal (balal.ahmed_at_capgemini.com)
Date: 05/05/04

    To: "'Mikael Olsson'" <mikael.olsson@clavister.com>, "Ahmed, Balal" <balal.ahmed@capgemini.com>
    Date: Wed, 5 May 2004 16:40:15 +0100
    
    

    Cisco have advised me that PIX images need to be upgraded to special release
    versions which have to be obtained through TAC. They have not explained how
    the new image will mitigate this vulnerability, though.

    The latest Checkpoint HotFix can mitigate this for the entire network that
    is segmented by a module. Checkpoint do this by checking sequence numbers in
    RST packets and discarding out-of-state RST packets. This has the potential to
    break legacy non-RFC-compliant apps.

    It would be nice to have a detailed breakdown and analysis from Cisco
    regarding this.

    -----Original Message-----
    From: firewall-wizards-admin@honor.icsalabs.com
    [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Mikael Olsson
    Sent: 05 May 2004 14:01
    To: Ahmed, Balal
    Cc: 'firewall-wizards@honor.icsalabs.com'
    Subject: Re: [fw-wiz] Cisco PIX vulnerable to TCP RST DOS attacks

    "Ahmed, Balal" wrote:
    >
    > If a PIX, or any other firewall/device for that matter, is performing
    > NAPT/Hide NAT/PAT/NAT then as far as the TCP conversation is concerned is it
    > a connection endpoint or a transit device?

    Conceptually, it is a transit device, however ...

    > [...] Having said this, I have seen PIXes tear down
    > connections on seeing a RESET-O arrive from the outside. Does this mean that
    > the PIX IS susceptible to the TCP RST vulnerability due to the way Cisco
    > have implemented NAT?

    It used to tear down connections immediately upon receiving
    any RST with matching IPs and ports. This was changed back in 2000:
    http://www.cisco.com/warp/public/707/pixtcpreset-pub.shtml
    where they verify the sequence number of the RST.

    However, as far as I know (though note that I'm in no way a
    cisco/pix expert) they'd still tear down the connection immediately
    upon receiving a RST, so this would still make the NAPT implementation
    vulnerable to a sequence sweep of RSTs. Assuming you know the
    source port, that is.

    HOWEVER, predicting the source port on a busy NAPT is no fun - you go
    from ~32K packets * a few ports to try to ~32K packets * 64K ports [1].
    This is quite a lot of packets. Just trying all of them in a meaningful
    time would mean a packet rate comparable to an all-out DDoS, which is
    an attack in and of itself - and a much more "meaningful" one, at that.

    I still believe that the #1 impact of this vulnerability, as seen in an
    Internet-wide perspective, is killing BGP sessions in core routers.
    Do it a few times to trigger route flap detection, and you'll isolate
    large chunks of the net from each other, or, worst case, from the rest
    of the Internet.

    -- 
    Mikael Olsson, Clavister AB
    Torggatan 10, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
    Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
    Fax: +46 (0)660 122 50       WWW: http://www.clavister.com
    [1] possibly divided by the number of simultaneous connections to the 
        same endpoint if "killing some connections for the fun of it" is 
        all you're after.
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
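The two behaviours the thread contrasts are the pre-2000 PIX rule (tear down a tracked connection on any RST whose addresses and ports match) and the Checkpoint hotfix (check the RST's sequence number against connection state and discard out-of-state RSTs). The following is an added example written for this page, not Checkpoint's, Cisco's or any list member's code: a small stateful RST filter that implements both rules plus a stricter exact-match variant, with modulo-2^32 wraparound handled. The flow table, addresses (documentation ranges) and policy names are constructed for illustration.

```python
# Added example (not Checkpoint's or Cisco's code): how a stateful middlebox
# can validate inbound RSTs against tracked connection state instead of tearing
# down a flow on any RST whose addresses and ports match.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SEQ_MOD = 1 << 32  # TCP sequence numbers are 32 bits wide and wrap around

# (src_ip, src_port, dst_ip, dst_port) of the RST segment as seen by the device
FlowKey = Tuple[str, int, str, int]


@dataclass
class FlowState:
    """What the device tracks for the sender->receiver direction of one flow."""
    rcv_nxt: int  # next sequence number the receiver expects from this sender
    rcv_wnd: int  # receive window the receiver last advertised


@dataclass
class RstSegment:
    key: FlowKey
    seq: int


def seq_in_window(seq: int, st: FlowState) -> bool:
    """True if seq lies in [rcv_nxt, rcv_nxt + rcv_wnd) modulo 2**32."""
    return (seq - st.rcv_nxt) % SEQ_MOD < st.rcv_wnd


@dataclass
class RstFilter:
    """Decides whether an inbound RST may tear down a tracked flow.

    policy: "any"    - accept every RST matching a tracked 4-tuple
                       (the pre-2000 PIX behaviour described in the thread)
            "window" - accept only RSTs whose seq is inside the receive window
            "exact"  - accept only seq == rcv_nxt (strictest; the variant most
                       likely to break stacks that send slightly-off RSTs)
    """
    policy: str
    flows: Dict[FlowKey, FlowState] = field(default_factory=dict)
    dropped_no_state: int = 0       # RST for a flow the device does not track
    dropped_out_of_window: int = 0  # RST for a tracked flow but with a bad seq

    def handle_rst(self, seg: RstSegment) -> str:
        st = self.flows.get(seg.key)
        if st is None:
            self.dropped_no_state += 1
            return "drop:no-state"
        if self.policy == "any":
            ok = True
        elif self.policy == "window":
            ok = seq_in_window(seg.seq, st)
        elif self.policy == "exact":
            ok = seg.seq == st.rcv_nxt
        else:
            raise ValueError(f"unknown policy {self.policy!r}")
        if not ok:
            # Out-of-window RSTs on tracked flows are worth counting and alerting
            # on: a legitimate peer rarely produces them, a blind sweep produces many.
            self.dropped_out_of_window += 1
            return "drop:out-of-window"
        del self.flows[seg.key]  # valid RST: the connection really is gone
        return "teardown"


def run_demo(policy: str) -> List[str]:
    """Replay a constructed sequence of RSTs through a fresh filter."""
    flt = RstFilter(policy)
    # Constructed sample state; addresses are from documentation ranges.
    flow_a = ("203.0.113.5", 40001, "198.51.100.7", 443)
    flow_b = ("203.0.113.9", 40002, "198.51.100.7", 443)
    flow_c = ("203.0.113.9", 40003, "198.51.100.7", 443)  # deliberately untracked
    flt.flows[flow_a] = FlowState(rcv_nxt=1_000_000, rcv_wnd=65535)
    flt.flows[flow_b] = FlowState(rcv_nxt=SEQ_MOD - 10, rcv_wnd=8192)  # about to wrap
    segments = [
        RstSegment(flow_a, 5_000_000),        # far outside flow_a's window
        RstSegment(flow_a, 1_000_000 + 100),  # inside the window, not exact
        RstSegment(flow_b, 20),               # wrapped past 2**32; still in window
        RstSegment(flow_c, 1),                # no tracked state at all
        RstSegment(flow_a, 1_000_000),        # exactly what the receiver expects
    ]
    return [flt.handle_rst(s) for s in segments]


if __name__ == "__main__":
    for pol in ("any", "window", "exact"):
        print(pol, run_demo(pol))
```

Under the "any" policy the first, far-off RST already kills flow A, which is the exposure the thread is about; under "window" it is dropped and only the in-window RST succeeds; under "exact" even the in-window RST is refused. The caveat Balal raises applies to the stricter policies: a peer whose stack resets with a sequence number that is in-window but not exactly `rcv_nxt` will have its RST silently discarded, so the `dropped_out_of_window` counter doubles as a place to look when a legacy application starts hanging instead of closing. The later RFC 5961 formalizes the same three-way split (exact match resets, in-window triggers a challenge ACK, anything else is dropped).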
    
